Cybersecurity: burnout is looming, and it will become a problem for all of us


With the number of data breaches in 2021 surpassing that of 2020, the pressure on enterprise security teams is greater still in 2022. But burnout, declining morale and high staff turnover could leave businesses struggling as they try to manage the growing cybersecurity threat.

Employers already face a serious problem. The number of attempted cyberattacks keeps rising, and at the same time they must cope with a tightening hiring market and record levels of resignations that are also hitting the tech sector.

Recruitment issues weigh on cybersecurity

This battle to attract talent could hit cybersecurity hard. According to a ThreatConnect survey of more than 500 IT decision makers, 50% of private sector companies have gaps in basic IT security technical skills.

Additionally, 32% of CIOs and 25% of CISOs plan to leave their jobs in the next six months, exposing employers to recruitment, management and IT security problems.

Many employees are attracted by the prospect of better pay and more flexible working conditions. But excessive workloads and performance pressures also take their toll. The ThreatConnect study shows that high stress levels were among the top three causes of employee departures, cited by 27% of respondents.

Beware of burnout

Burnout threatens cybersecurity in multiple ways. First, on the employee side. “Human error is one of the leading causes of data breaches in organizations, and the risk of causing a data breach or falling for a phishing attack only increases when employees are stressed and burnt out,” says Josh Yavor, chief information security officer (CISO) at enterprise security solutions provider Tessian.

A study conducted by Tessian and Stanford University in 2020 found that 88% of data breach incidents were due to human error. Nearly half (47%) of respondents cited distraction as the main reason for getting caught up in a phishing scam, while 44% cited fatigue or stress.

“Why? Because when people are stressed or burnt out, their cognitive load is high, and that makes spotting the signs of a phishing attack much more difficult,” Josh Yavor told ZDNet.

Cybercriminals take advantage of these human factors

Attackers are aware of this too. “Not only do they make spear-phishing campaigns more sophisticated, but they target recipients in the late afternoon, when people are most likely to be tired or distracted. Our data showed that most phishing attacks are sent between 2 p.m. and 6 p.m.”
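One way to check the afternoon pattern Yavor describes against an organization's own mail telemetry, as an added example (not code from the article, Tessian or ZDNet): bucket reported phishing messages by the recipient's local hour, then find the busiest four-hour window. The timestamps below are constructed, in the format of the receiving mail server's own `Received:` header; that header is used deliberately instead of the sender's `Date:` header, which the attacker controls and which carries the attacker's time zone, not the victim's.

```python
"""Hour-of-day analysis of reported phishing mail (added example, not from the article).

Uses the receiving MTA's own Received: timestamp, whose UTC offset is the
recipient's local offset, so .hour is already the recipient-local hour.
"""
from collections import Counter
from email.utils import parsedate_to_datetime

# Constructed sample: the date portion of the recipient-side Received: header
# for eight reported phishing messages. Not real data.
SAMPLE_RECEIVED = [
    "Tue, 1 Mar 2022 14:05:11 -0500",   # New York, 14:05 local
    "Tue, 1 Mar 2022 16:40:02 -0500",   # New York, 16:40 local
    "Tue, 1 Mar 2022 16:10:45 +0100",   # Paris, 16:10 local
    "Tue, 1 Mar 2022 17:55:09 +0100",   # Paris, 17:55 local
    "Tue, 1 Mar 2022 09:30:00 +0100",   # Paris, 09:30 local
    "Wed, 2 Mar 2022 10:20:33 +0900",   # Tokyo, 10:20 local
    "Tue, 1 Mar 2022 15:45:12 +0900",   # Tokyo, 15:45 local
    "Tue, 1 Mar 2022 09:00:00 -0800",   # Los Angeles, 09:00 local
]


def recipient_local_hour(received_date: str) -> int:
    """Local hour (0-23) at the receiving server, taken from its own offset."""
    # parsedate_to_datetime keeps the header's offset, so .hour is local time
    # there rather than UTC. A Date: header would give the sender's clock.
    return parsedate_to_datetime(received_date).hour


def hour_histogram(received_dates) -> Counter:
    """Count of reported messages per recipient-local hour."""
    return Counter(recipient_local_hour(d) for d in received_dates)


def window_share(received_dates, start: int = 14, end: int = 18) -> float:
    """Fraction of reports whose local hour falls in [start, end).

    Defaults to the 2 p.m. - 6 p.m. window quoted in the article.
    """
    hist = hour_histogram(received_dates)
    total = sum(hist.values())
    if total == 0:
        return 0.0
    in_window = sum(n for hour, n in hist.items() if start <= hour < end)
    return in_window / total


def busiest_window(hist: Counter, width: int = 4):
    """(start_hour, count) of the densest `width`-hour window, wrapping midnight.

    Ties resolve to the earliest start hour.
    """
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(hist.get((start + i) % 24, 0) for i in range(width))
        if count > best_count:
            best_start, best_count = start, count
    return best_start, best_count


if __name__ == "__main__":
    hist = hour_histogram(SAMPLE_RECEIVED)
    for hour in sorted(hist):
        print(f"{hour:02d}:00  {'#' * hist[hour]}")
    print(f"share in 14:00-18:00: {window_share(SAMPLE_RECEIVED):.1%}")
    start, count = busiest_window(hist)
    print(f"busiest 4h window starts {start:02d}:00 with {count} reports")
```

On real data the input would be the timestamps from a user-reported-phishing mailbox or a mail gateway's quarantine log; the per-hour histogram is also a useful baseline for scheduling the awareness reminders discussed below, since they land best shortly before the window in which people are most likely to click.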

Carlos Rivera, an adviser at Info-Tech Research Group, believes that the role burnout plays in a company’s vulnerability to phishing attacks should not be overlooked or underestimated. So it’s good practice to create a phishing simulation initiative as part of an organization’s security awareness program, he tells ZDNet. “This program can be optimized by imposing one hour of training per year, which can be divided into training sessions of five minutes per month and 15 minutes per quarter”, explains Carlos Rivera.

“In order to have the most impact on the effectiveness of your training, base it on topics from the news that usually manifest themselves in the form of tactics, techniques and procedures used by hackers,” he advises.

Reframing the role of cybersecurity leaders

A recent report by analyst firm Gartner argued that the role of the cybersecurity leader needs to be “reframed”: instead of primarily managing risk inside the IT department, security leaders must inform risk decisions taken at executive level and ensure that business leaders have the cybersecurity knowledge needed to make them.

The analyst predicts that, by 2026, 50% of middle managers will have performance requirements related to cybersecurity risk built into their employment contract. This means that cybersecurity leaders will have less direct control over many of the IT decisions that fall within their purview today.

“Cybersecurity leaders are exhausted, overworked, and in ‘always-on’ mode,” said Sam Olyaei, research director at Gartner. “This is a direct reflection of the elasticity of the role over the past decade due to the growing mismatch of stakeholder expectations within their organization.”

CISO burnout affects the entire company

Josh Yavor also says it is critical to consider how burnout affects security teams and the ripple effects for the entire organization.

According to Tessian’s study, security managers work an average of 11 hours more per week, and one in ten managers work up to 24 hours more per week. Much of that time is spent investigating and remediating threats caused by employee errors, and even when they log off, some 60% of CISOs find it difficult to detach from work due to stress.

“If CISOs are experiencing this level of burnout, imagine the impact this has on the entire organization as well as the people they work with. You will lose good players if the teams are constantly exhausted.”

The glorification of overwork

The culture around cybersecurity must also change. According to Josh Yavor, this culture wrongly idolizes overtime and the sacrifice of personal well-being for the good of the company. “As security managers, some of our most exciting stories involve spending all-nighters defending the organization or investigating a threat. But we often fail to recognize that the need for heroism usually indicates a state of failure, and that it is not sustainable,” he says.

“As leaders, it is essential that CISOs lead by example and prepare their teams for sustainable operational work. You have to make sure that you have confidence in the limits set – when you’re on call, you’re on call – and that the whole team feels supported.” Carlos Rivera points out that the growing popularity of remote work could increase the tendency of staff to work longer hours, which could “contribute to burnout, unaccounted absences and, in some cases, a higher turnover rate than expected”.

Security teams should work with other departments to raise organizational awareness of the issue of burnout and overwork, Carlos Rivera believes, which could help managers identify single points of failure and instill a culture of resilience within the company.

“Organizations run less risk when they introduce security as early as possible in the development process and use tools to automate and support this goal,” he insists.

Better communication is essential

On the technical side, having a continuous integration/continuous delivery (CI/CD) pipeline in place – and deploying tools like an integrated development environment (IDE) – will give organizations the best chance of success. “An IDE consists of a source code editor, a debugger, and build automation tools to provide the developer with self-service capabilities and identify errors in near real-time. An integrated development environment combined with static analysis security testing and automated open source analysis in the build pipeline will effectively reduce defects,” adds Carlos Rivera.
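What the pipeline Rivera describes can look like in practice, as an added example that is not from the article, Rivera or Info-Tech: a minimal GitLab CI configuration that pulls in GitLab's own SAST and dependency-scanning templates so that static analysis and open-source component checks run on every push. It assumes a GitLab instance where those templates are available and a project built with `make`; the two job names overridden at the end (`semgrep-sast`, `gemnasium-dependency_scanning`) are the names the templates use at the time of writing and should be checked against the templates actually in use.

```yaml
# Added example (not from the article): GitLab CI pipeline with SAST and
# open-source dependency scanning in the build. Assumes the GitLab-provided
# security templates are available; `make build` / `make test` are placeholders.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - build
  - test      # the included templates attach their scanning jobs to this stage

build:
  stage: build
  script:
    - make build

unit-tests:
  stage: test
  script:
    - make test

# The templates ship with allow_failure: true, so a finding is reported but
# never blocks the pipeline. Overriding that turns the scans into a merge gate.
# Job names assumed from the current templates; verify against your instance.
semgrep-sast:
  allow_failure: false

gemnasium-dependency_scanning:
  allow_failure: false
```

Blocking on findings is the part most teams skip: left at the template default, the scanners produce reports that an already overloaded security team has to chase by hand, which is exactly the kind of manual toil the article is warning about. Gating the merge pushes the fix back to the developer who introduced the defect, with the IDE feedback Rivera mentions as the first line and the pipeline as the backstop.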

As in any job, communication is also essential. CISOs need to communicate their capacity constraints better, which Josh Yavor says will set a precedent within the organization: by admitting their own limitations, they make it acceptable for others to do the same.

Don’t hesitate to say “it’s impossible for me to do these things, with the resources and the constraints that we currently have”, he advises. “There is this unfortunate tendency towards heroism in the security sector – and this mindset needs to change.”

Source: ZDNet.com